Spectre And Meltdown Vulnerabilities. Happy New Year!

Leading Tech Companies, Users Scramble to Secure Devices
And the Wave of Class Action Suits Begins

Spectre and Meltdown Vulnerabilities. Happy New Year!.jpg

Intel has confirmed findings by researchers (including Google’s Project Zero) that the design of chips from Intel, AMD and ARM has – for more than a decade – permitted hackers to access memory on billions of business and consumer devices.

"These hardware bugs allow programs to steal data which [is] currently processed on the computer," the research notes. "While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs."

Spectre and Meltdown attacks enable bad actors to access information stored in device memory, leavening PCs, mobile devices and cloud instances vulnerable to attack; Microsoft, Apple, and Google are rolling out OS-level patches, while experts are advising users take specific immediate steps such as disabling javascript in browsers.

Meltdown enables access to privileged data in memory by using a shortcut on Intel chips originally designed to speed up processing by guessing and acting upon the next steps of tasks in-process - called speculative execution.

"The processor basically runs too far ahead, executing instructions that it should not execute," said Daniel Gruss, a Graz University of Technology expert and part of the team that discovered the Spectre and Meltdown attacks.

Spectre lifts data from the memory of applications running on devices running many Intel, AMD or ARM processors.

The Impact

The flaws impact processors that are used in servers, desktops, as well as mobile devices – primarily because there are very few chip vendors to serve the market and their products are deployed across many platforms.

“Server computers are usually more tightly managed than desktop PCs and mobile devices, so it is less likely that they are infected by malware exploiting these vulnerabilities,” notes Frederik Mennes, Senior Market & Security Strategy Manager with VASCO Data Security’s Security Competence Center. “Devices managed by individual end-users, such as desktops and mobile devices, often do not contain the latest patches, so they might be more likely to become infected by malware exploiting the vulnerabilities.

How Could This Happen?

Atiq Raza, the Chairman & CEO of Virsec Systems, Inc. and former President and COO of AMD, says: “This should not have happened. It may seem like a small, obscure vulnerability, but anytime there is exposure to protected areas in the processor kernel, the results could be serious. Just like a small leak in a water pipe can flood your whole house, the cache being exposed is typically 1,600 bytes, but every time the processors re-syncs, a new batch of data is exposed. A clever hacker could index this data, and potentially access the entire memory space, exposing lots of sensitive data.”

“Granted, it took a very smart set of hackers to expose the vulnerability, but that’s not really an excuse. Hardware processors must go through extensive testing, and the fact that this hole has existing for over 20 years (since the first Pentium chips were released in 1995), in many generations of processors is troubling.”

Noting Intel’s delayed response, Raza notes: “The researchers who discovered this flaw reported it to Intel back in June 2017, yet it seems to have taken months for patches to be rolled out by OS vendors. I’ve been in this situation in the past, where a bug is discovered in hardware. We immediately contacted Microsoft and other OS vendors to alert them and make sure patches were implemented urgently. This should happen in days – not months.”

Mennes advises: “In order to exploit the Spectre and Meltdown vulnerabilities, malicious code needs to be executed on vulnerable microprocessors. Malicious code might consist not only of binaries, but also scripts (e.g. Javascript) running inside browsers. Proof-of-concept exploit code in Javascript is already available. End-users should immediately install patches of browsers (IE, Edge, Chrome, Firefox, etc.) to mitigate the risk.”

“Ultimately, the Spectre and Meltdown vulnerabilities will need to be addressed by microprocessor vendors (Intel, AMD, ARM, etc.) by changing the architecture of the microprocessors. A typical CPU release cycle takes 18 months, so it will take several years before new microprocessors are available and widely deployed.” 

Unfortunately, hardware bugs take time to fix and legacy, vulnerable hardware will exist in the field – as will the consequences of inaction – for years to come, Raza said. “It’s incumbent on the operating system vendors to release patches as soon as possible to plug the holes in the short term until hardware can be upgraded.”

Off To The Court House We Go

With organizations and users begin dealing laborious patching and mitigation processes, plaintiffs in Oregon, California, and Indiana have already filed class action suits, citing the real and potential consequences of the vulnerabilities, performance concerns, the heavy lifting ahead for mitigation and IT teams, and Intel’s delayed public disclosure – all of which are likely to result the largest wave of litigation and price reduction negotiations the industry has seen.

Should the Chip Vendors Be Held Liable? Can They Be?

Christian Vezina, CISO for VASCO, said: “A chip is just another piece of code, albeit, a very complex piece of code. Until manufacturers are made liable for the security of their code we will always see buggy and vulnerable code. But that also raises the question: If chip manufacturers are held liable for the security of their code, couldn’t we apply the same to OS manufacturers, and all other software companies?”

This might be hard to pull off.

“At the end of the day, every piece of technology comes with their own vulnerabilities and drawbacks. Security is about layers of protection. No single technology is a panacea. All must be managed properly – and just about all must be patched at some point.”

Mennes recommends that organizations immediately address the vulnerabilities using a combination of the following:

  • Installing patches at firmware, operating system (e.g. Windows, Android, iOS), and application (e.g. Google Chrome, Microsoft Edge) levels

  • Restricting the applications that can be executed on a machine to a list of trusted applications, for instance using application whitelisting

  • Prohibiting the installation of applications from unknown or untrusted sources

The ultimate fix remains upgrading processors. However, it usually takes about 1.5 years for a new processor design to be released. That means that IT and security teams are likely to be stuck with (and in) this mess for several years while waiting for new designs to become available and widely deployed.